Release notes: SecureAuth CIAM 2.24.0

Added a new None (PKCE) authentication method for the generic OIDC IdP. Introduced a Use PKCE flag when using Client Secret or Private Key JWT.

Introduced a new feature flag: enforce_system_admin_workspace_access. When enabled, it restricts access to system/admin workspace entities via admin APIs unless admin_workspace_access or system_workspace_access is also enabled.

APIs excluded from this enforcement:

Additionally, list workspaces and list servers APIs now exclude system/admin workspaces if enforcement is enabled and access flags are not.

When the the acr feature flag is enabled, new workspaces include sample ACRs with policies that replace legacy NIST policies. These are disabled by default to avoid appearing in the well-known configuration but can be enabled for testing. Policies use new validator to enforce any one or any two authentication factors.

Support for max_age=0 in authorize flow to force user authentication, similar to prompt=login.

Improved DCR behavior: if the policy fails, DCR scopes or authorization details are excluded instead of rejecting the entire request.

Added client timeout support to the root CLI.

Extended root APIs to support license management for tenants.

Added tenant metadata to the authorization engine input.

Added system APIs for managing client secrets.

Exposed the Verify Authentication Code (System) API and enhanced Inspect OTP to return code type.

Introduced granular system scopes:

These can replace manage_configuration in hub workspace management APIs.

Updated the client import/create API to support multiple base64-encoded certificates in the certificate field, separated by new lines. Deprecated the single-certificate format.

Added support to initialize admin/system workspaces via import configuration API.

Extended Just-In-Time (JIT) provisioning with a new pre mode. In this mode, the user must already exist in the identity pool and is not auto-provisioned.

Supported fallback settings:

JIT audit logs now include provisioning mode and pre-provisioning settings.

Under the acr feature flag:

Added more client details to template rendering, enabling better customization in themes.

Extended the Enforce ACRs flag to validate acr_values in the authorize flow. If none are specified (explicitly or via client defaults), the flow fails with an invalid request - applies only when the acr feature flag is enabled.

Also removed ACR enforcement for OpenBanking UK and KSA due to deprecated usage.

Added test coverage (happy paths) for all endpoints introduced in the groups epic.

Added configuration to disable user self-reset credential flows during authentication. Managed in Identity Pool settings.

When the acr feature flag is enabled and set via Custom Login Page or IDP Post Authentication Script, the configured ACR policy is evaluated.

Enabled predefined ACRs in CDR, OpenBanking UK, OpenBanking BR, and KSA workspaces when the acr feature flag is enabled. These use policies to validate ACRs from the Custom Login Page or Post Authentication Script.

Marked acr_values from server advanced settings as deprecated.

Added mobile/desktop toggle in theme preview to visualize templates across devices.

Fixed incorrect grant_type in refresh_token flows. Now correctly shows refresh_token instead of the original grant type.

Added circuit breaker to the SMTP client for improved reliability.